Diffstat (limited to 'src/libstrongswan/plugins/x509/x509_cert.c')
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c454
1 files changed, 4 insertions, 450 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 0eabc8010..8b228a2b6 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -117,11 +117,7 @@ struct private_x509_cert_t {
linked_list_t *subjectAltNames;
/**
-<<<<<<< HEAD
- * List of crlDistributionPoints as allocated char*
-=======
* List of crlDistributionPoints as x509_cdp_t*
->>>>>>> upstream/4.5.1
*/
linked_list_t *crl_uris;
@@ -136,8 +132,6 @@ struct private_x509_cert_t {
linked_list_t *ipAddrBlocks;
/**
-<<<<<<< HEAD
-=======
* List of permitted name constraints
*/
linked_list_t *permitted_names;
@@ -158,7 +152,6 @@ struct private_x509_cert_t {
linked_list_t *policy_mappings;
/**
->>>>>>> upstream/4.5.1
* certificate's embedded public key
*/
public_key_t *public_key;
@@ -181,9 +174,6 @@ struct private_x509_cert_t {
/**
* Path Length Constraint
*/
-<<<<<<< HEAD
- int pathLenConstraint;
-=======
u_char pathLenConstraint;
/**
@@ -200,7 +190,6 @@ struct private_x509_cert_t {
* inhibitAnyPolicy Constraint
*/
u_char inhibit_any;
->>>>>>> upstream/4.5.1
/**
* x509 constraints and other flags
@@ -233,8 +222,6 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars(
);
/**
-<<<<<<< HEAD
-=======
* Destroy a CertificateDistributionPoint
*/
static void crl_uri_destroy(x509_cdp_t *this)
@@ -282,7 +269,6 @@ static u_int parse_constraint(chunk_t object)
}
/**
->>>>>>> upstream/4.5.1
* ASN.1 definition of a basicConstraints extension
*/
static const asn1Object_t basicConstraintsObjects[] = {
@@ -324,19 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0,
case BASIC_CONSTRAINTS_PATH_LEN:
if (isCA)
{
-<<<<<<< HEAD
- if (object.len == 0)
- {
- this->pathLenConstraint = 0;
- }
- else if (object.len == 1)
- {
- this->pathLenConstraint = *object.ptr;
- }
- /* we ignore path length constraints > 127 */
-=======
this->pathLenConstraint = parse_constraint(object);
->>>>>>> upstream/4.5.1
}
break;
default:
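Review bot: The surviving line `this->pathLenConstraint = parse_constraint(object);` drops the explanatory comment that the removed branch carried ("we ignore path length constraints > 127"), and since the field is now a `u_char` (see the struct hunk earlier in this diff) a truncating conversion of a multi-byte or high-bit INTEGER would silently shrink or enlarge a CA's constraint. parse_constraint's body is outside this hunk, so confirm it maps anything other than a single byte below 128 to X509_NO_CONSTRAINT rather than truncating, and say so here: `/* parse_constraint() yields X509_NO_CONSTRAINT for values it cannot hold in a u_char; a dropped constraint is treated as unconstrained */`. parse_basicConstraints starts and ends outside the hunk.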
@@ -674,11 +648,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0,
}
break;
default:
-<<<<<<< HEAD
- /* unkown accessMethod, ignoring */
-=======
/* unknown accessMethod, ignoring */
->>>>>>> upstream/4.5.1
break;
}
break;
@@ -693,8 +663,6 @@ end:
}
/**
-<<<<<<< HEAD
-=======
* Extract KeyUsage flags
*/
static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
@@ -749,7 +717,6 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
}
/**
->>>>>>> upstream/4.5.1
* ASN.1 definition of a extendedKeyUsage extension
*/
static const asn1Object_t extendedKeyUsageObjects[] = {
@@ -761,11 +728,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = {
#define EXT_KEY_USAGE_PURPOSE_ID 1
/**
-<<<<<<< HEAD
- * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned
-=======
* Extracts extendedKeyUsage OIDs
->>>>>>> upstream/4.5.1
*/
static void parse_extendedKeyUsage(chunk_t blob, int level0,
private_x509_cert_t *this)
@@ -814,18 +777,11 @@ static const asn1Object_t crlDistributionPointsObjects[] = {
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
{ 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
-<<<<<<< HEAD
- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
-=======
{ 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
->>>>>>> upstream/4.5.1
{ 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
-<<<<<<< HEAD
-#define CRL_DIST_POINTS_FULLNAME 3
-=======
#define CRL_DIST_POINTS 1
#define CRL_DIST_POINTS_FULLNAME 3
#define CRL_DIST_POINTS_ISSUER 10
@@ -874,21 +830,10 @@ static void add_cdps(linked_list_t *list, linked_list_t *uris,
id->destroy(id);
}
}
->>>>>>> upstream/4.5.1
/**
* Extracts one or several crlDistributionPoints into a list
*/
-<<<<<<< HEAD
-static void parse_crlDistributionPoints(chunk_t blob, int level0,
- private_x509_cert_t *this)
-{
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- linked_list_t *list = linked_list_create();
-
-=======
void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
linked_list_t *list)
{
@@ -899,36 +844,11 @@ void x509_parse_crlDistributionPoints(chunk_t blob, int level0,
uris = linked_list_create();
issuers = linked_list_create();
->>>>>>> upstream/4.5.1
parser = asn1_parser_create(crlDistributionPointsObjects, blob);
parser->set_top_level(parser, level0);
while (parser->iterate(parser, &objectID, &object))
{
-<<<<<<< HEAD
- if (objectID == CRL_DIST_POINTS_FULLNAME)
- {
- identification_t *id;
-
- /* append extracted generalNames to existing chained list */
- x509_parse_generalNames(object, parser->get_level(parser)+1,
- TRUE, list);
-
- while (list->remove_last(list, (void**)&id) == SUCCESS)
- {
- char *uri;
-
- if (asprintf(&uri, "%Y", id) > 0)
- {
- this->crl_uris->insert_last(this->crl_uris, uri);
- }
- id->destroy(id);
- }
- }
- }
- parser->destroy(parser);
- list->destroy(list);
-=======
switch (objectID)
{
case CRL_DIST_POINTS:
@@ -1017,15 +937,15 @@ static const asn1Object_t certificatePoliciesObject[] = {
{ 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
{ 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
{ 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
- { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */
+ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
{ 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
{ 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
{ 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
{ 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
+ { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
{ 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
{ 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
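Review bot: The index comments on this table are still wrong after entry 10 — `/* 12 */` follows `/* 10 */` with no `/* 11 */` — and those numbers are presumably what the parser's `#define` case indices (outside this hunk) are written against, so a stale comment invites a mis-targeted case label; renumber the last three entries `/* 11 */`, `/* 12 */`, `/* 13 */`. Changing `qualifiers` from `ASN1_BODY` to `ASN1_LOOP` also means every qualifierInfo in a policy is now iterated rather than only the first, so the callback that consumes `cPSuri`/`explicitText` must cope with repeated hits for one policyId; that callback is not in view, so verify it accumulates or deliberately keeps the first.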
@@ -1179,7 +1099,6 @@ static void parse_policyConstraints(chunk_t blob, int level0,
}
}
parser->destroy(parser);
->>>>>>> upstream/4.5.1
}
/**
@@ -1198,7 +1117,7 @@ static const asn1Object_t ipAddrBlocksObjects[] = {
{ 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
{ 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
{ 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
- { 2, "end choice/loop", ASN1_EOC, ASN1_END }, /* 12 */
+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
{ 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
{ 0, "exit", ASN1_EOC, ASN1_EXIT }
};
@@ -1374,14 +1293,6 @@ static const asn1Object_t certObjects[] = {
#define X509_OBJ_SIGNATURE 25
/**
-<<<<<<< HEAD
- * forward declaration
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer);
-
-/**
-=======
->>>>>>> upstream/4.5.1
* Parses an X.509v3 certificate
*/
static bool parse_certificate(private_x509_cert_t *this)
@@ -1481,12 +1392,8 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_basicConstraints(object, level, this);
break;
case OID_CRL_DISTRIBUTION_POINTS:
-<<<<<<< HEAD
- parse_crlDistributionPoints(object, level, this);
-=======
x509_parse_crlDistributionPoints(object, level,
this->crl_uris);
->>>>>>> upstream/4.5.1
break;
case OID_AUTHORITY_KEY_ID:
this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
@@ -1496,11 +1403,7 @@ static bool parse_certificate(private_x509_cert_t *this)
parse_authorityInfoAccess(object, level, this);
break;
case OID_KEY_USAGE:
-<<<<<<< HEAD
- /* TODO parse the flags */
-=======
parse_keyUsage(object, this);
->>>>>>> upstream/4.5.1
break;
case OID_EXTENDED_KEY_USAGE:
parse_extendedKeyUsage(object, level, this);
@@ -1508,8 +1411,6 @@ static bool parse_certificate(private_x509_cert_t *this)
case OID_IP_ADDR_BLOCKS:
parse_ipAddrBlocks(object, level, this);
break;
-<<<<<<< HEAD
-=======
case OID_NAME_CONSTRAINTS:
parse_nameConstraints(object, level, this);
break;
@@ -1530,7 +1431,6 @@ static bool parse_certificate(private_x509_cert_t *this)
}
this->inhibit_any = parse_constraint(object);
break;
->>>>>>> upstream/4.5.1
case OID_NS_REVOCATION_URL:
case OID_NS_CA_REVOCATION_URL:
case OID_NS_CA_POLICY_URL:
@@ -1543,15 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
-<<<<<<< HEAD
- "libstrongswan.plugins.x509.enforce_critical", FALSE))
- {
- DBG1(DBG_LIB, "critical %s extension not supported",
-=======
"libstrongswan.x509.enforce_critical", TRUE))
{
DBG1(DBG_LIB, "critical '%s' extension not supported",
->>>>>>> upstream/4.5.1
(extn_oid == OID_UNKNOWN) ? "unknown" :
(char*)oid_names[extn_oid].name);
goto end;
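Review bot: The settings key changes from `libstrongswan.plugins.x509.enforce_critical` to `libstrongswan.x509.enforce_critical` and the default flips from FALSE to TRUE, so an existing strongswan.conf that sets the old key is now silently ignored and certificates carrying any unsupported critical extension are rejected. That is the safer direction — RFC 5280 §4.2 requires rejecting a certificate with an unrecognised critical extension — but the rename and default change are undocumented at the site where they bite. Add `/* RFC 5280 4.2: reject on unrecognised critical extensions by default; the legacy key libstrongswan.plugins.x509.enforce_critical is no longer read */` above the `if`, and mention it in the changelog. parse_certificate continues outside the hunk.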
@@ -1584,13 +1478,9 @@ end:
hasher_t *hasher;
/* check if the certificate is self-signed */
-<<<<<<< HEAD
- if (issued_by(this, &this->public.interface.interface))
-=======
if (this->public.interface.interface.issued_by(
&this->public.interface.interface,
&this->public.interface.interface))
->>>>>>> upstream/4.5.1
{
this->flags |= X509_SELF_SIGNED;
}
@@ -1607,54 +1497,26 @@ end:
return success;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_type
- */
-static certificate_type_t get_type(private_x509_cert_t *this)
-=======
METHOD(certificate_t, get_type, certificate_type_t,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return CERT_X509;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_subject
- */
-static identification_t* get_subject(private_x509_cert_t *this)
-=======
METHOD(certificate_t, get_subject, identification_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->subject;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_issuer
- */
-static identification_t* get_issuer(private_x509_cert_t *this)
-=======
METHOD(certificate_t, get_issuer, identification_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->issuer;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.has_subject.
- */
-static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject)
-=======
METHOD(certificate_t, has_subject, id_match_t,
private_x509_cert_t *this, identification_t *subject)
->>>>>>> upstream/4.5.1
{
identification_t *current;
enumerator_t *enumerator;
@@ -1695,29 +1557,15 @@ METHOD(certificate_t, has_subject, id_match_t,
return best;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.has_issuer.
- */
-static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer)
-=======
METHOD(certificate_t, has_issuer, id_match_t,
private_x509_cert_t *this, identification_t *issuer)
->>>>>>> upstream/4.5.1
{
/* issuerAltNames currently not supported */
return this->issuer->matches(this->issuer, issuer);
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.issued_by.
- */
-static bool issued_by(private_x509_cert_t *this, certificate_t *issuer)
-=======
METHOD(certificate_t, issued_by, bool,
private_x509_cert_t *this, certificate_t *issuer)
->>>>>>> upstream/4.5.1
{
public_key_t *key;
signature_scheme_t scheme;
@@ -1764,44 +1612,13 @@ METHOD(certificate_t, issued_by, bool,
return valid;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_public_key
- */
-static public_key_t* get_public_key(private_x509_cert_t *this)
-=======
METHOD(certificate_t, get_public_key, public_key_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
this->public_key->get_ref(this->public_key);
return this->public_key;
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_ref
- */
-static private_x509_cert_t* get_ref(private_x509_cert_t *this)
-{
- ref_get(&this->ref);
- return this;
-}
-
-/**
- * Implementation of x509_cert_t.get_flags.
- */
-static x509_flag_t get_flags(private_x509_cert_t *this)
-{
- return this->flags;
-}
-
-/**
- * Implementation of x509_cert_t.get_validity.
- */
-static bool get_validity(private_x509_cert_t *this, time_t *when,
- time_t *not_before, time_t *not_after)
-=======
METHOD(certificate_t, get_ref, certificate_t*,
private_x509_cert_t *this)
{
@@ -1812,7 +1629,6 @@ METHOD(certificate_t, get_ref, certificate_t*,
METHOD(certificate_t, get_validity, bool,
private_x509_cert_t *this, time_t *when, time_t *not_before,
time_t *not_after)
->>>>>>> upstream/4.5.1
{
time_t t = when ? *when : time(NULL);
@@ -1827,16 +1643,8 @@ METHOD(certificate_t, get_validity, bool,
return (t >= this->notBefore && t <= this->notAfter);
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.get_encoding.
- */
-static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type,
- chunk_t *encoding)
-=======
METHOD(certificate_t, get_encoding, bool,
private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding)
->>>>>>> upstream/4.5.1
{
if (type == CERT_ASN1_DER)
{
@@ -1847,15 +1655,8 @@ METHOD(certificate_t, get_encoding, bool,
CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END);
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.equals.
- */
-static bool equals(private_x509_cert_t *this, certificate_t *other)
-=======
METHOD(certificate_t, equals, bool,
private_x509_cert_t *this, certificate_t *other)
->>>>>>> upstream/4.5.1
{
chunk_t encoding;
bool equal;
@@ -1881,12 +1682,6 @@ METHOD(certificate_t, equals, bool,
return equal;
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_t.get_serial.
- */
-static chunk_t get_serial(private_x509_cert_t *this)
-=======
METHOD(x509_t, get_flags, x509_flag_t,
private_x509_cert_t *this)
{
@@ -1895,20 +1690,12 @@ METHOD(x509_t, get_flags, x509_flag_t,
METHOD(x509_t, get_serial, chunk_t,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->serialNumber;
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_t.get_subjectKeyIdentifier.
- */
-static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this)
-=======
METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
if (this->subjectKeyIdentifier.ptr)
{
@@ -1930,33 +1717,12 @@ METHOD(x509_t, get_subjectKeyIdentifier, chunk_t,
}
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_t.get_authKeyIdentifier.
- */
-static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
-=======
METHOD(x509_t, get_authKeyIdentifier, chunk_t,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->authKeyIdentifier;
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_t.get_pathLenConstraint.
- */
-static int get_pathLenConstraint(private_x509_cert_t *this)
-{
- return this->pathLenConstraint;
-}
-
-/**
- * Implementation of x509_cert_t.create_subjectAltName_enumerator.
- */
-static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this)
-=======
METHOD(x509_t, get_constraint, u_int,
private_x509_cert_t *this, x509_constraint_t type)
{
@@ -1977,56 +1743,28 @@ METHOD(x509_t, get_constraint, u_int,
METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->subjectAltNames->create_enumerator(this->subjectAltNames);
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_cert_t.create_ocsp_uri_enumerator.
- */
-static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this)
-=======
METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->ocsp_uris->create_enumerator(this->ocsp_uris);
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_cert_t.create_crl_uri_enumerator.
- */
-static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this)
-=======
METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->crl_uris->create_enumerator(this->crl_uris);
}
-<<<<<<< HEAD
-/**
- * Implementation of x509_cert_t.create_ipAddrBlock_enumerator.
- */
-static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this)
-=======
METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks);
}
-<<<<<<< HEAD
-/**
- * Implementation of certificate_t.destroy.
- */
-static void destroy(private_x509_cert_t *this)
-=======
METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*,
private_x509_cert_t *this, bool perm)
{
@@ -2051,17 +1789,11 @@ METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*,
METHOD(certificate_t, destroy, void,
private_x509_cert_t *this)
->>>>>>> upstream/4.5.1
{
if (ref_put(&this->ref))
{
this->subjectAltNames->destroy_offset(this->subjectAltNames,
offsetof(identification_t, destroy));
-<<<<<<< HEAD
- this->crl_uris->destroy_function(this->crl_uris, free);
- this->ocsp_uris->destroy_function(this->ocsp_uris, free);
- this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy));
-=======
this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy);
this->ocsp_uris->destroy_function(this->ocsp_uris, free);
this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks,
@@ -2074,7 +1806,6 @@ METHOD(certificate_t, destroy, void,
(void*)cert_policy_destroy);
this->policy_mappings->destroy_function(this->policy_mappings,
(void*)policy_mapping_destroy);
->>>>>>> upstream/4.5.1
DESTROY_IF(this->issuer);
DESTROY_IF(this->subject);
DESTROY_IF(this->public_key);
@@ -2096,56 +1827,6 @@ METHOD(certificate_t, destroy, void,
*/
static private_x509_cert_t* create_empty(void)
{
-<<<<<<< HEAD
- private_x509_cert_t *this = malloc_thing(private_x509_cert_t);
-
- this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type;
- this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject;
- this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer;
- this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject;
- this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer;
- this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by;
- this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key;
- this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity;
- this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding;
- this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals;
- this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref;
- this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
- this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
- this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
- this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier;
- this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
- this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint;
- this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
- this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
- this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
- this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator;
-
- this->encoding = chunk_empty;
- this->encoding_hash = chunk_empty;
- this->tbsCertificate = chunk_empty;
- this->version = 1;
- this->serialNumber = chunk_empty;
- this->notBefore = 0;
- this->notAfter = 0;
- this->public_key = NULL;
- this->subject = NULL;
- this->issuer = NULL;
- this->subjectAltNames = linked_list_create();
- this->crl_uris = linked_list_create();
- this->ocsp_uris = linked_list_create();
- this->ipAddrBlocks = linked_list_create();
- this->subjectKeyIdentifier = chunk_empty;
- this->authKeyIdentifier = chunk_empty;
- this->authKeySerialNumber = chunk_empty;
- this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
- this->algorithm = 0;
- this->signature = chunk_empty;
- this->flags = 0;
- this->ref = 1;
- this->parsed = FALSE;
-
-=======
private_x509_cert_t *this;
INIT(this,
@@ -2194,13 +1875,10 @@ static private_x509_cert_t* create_empty(void)
.inhibit_any = X509_NO_CONSTRAINT,
.ref = 1,
);
->>>>>>> upstream/4.5.1
return this;
}
/**
-<<<<<<< HEAD
-=======
* Build a generalName from an id
*/
chunk_t build_generalName(identification_t *id)
@@ -2231,16 +1909,11 @@ chunk_t build_generalName(identification_t *id)
}
/**
->>>>>>> upstream/4.5.1
* Encode a linked list of subjectAltNames
*/
chunk_t x509_build_subjectAltNames(linked_list_t *list)
{
-<<<<<<< HEAD
- chunk_t subjectAltNames = chunk_empty;
-=======
chunk_t subjectAltNames = chunk_empty, name;
->>>>>>> upstream/4.5.1
enumerator_t *enumerator;
identification_t *id;
@@ -2252,33 +1925,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &id))
{
-<<<<<<< HEAD
- int context;
- chunk_t name;
-
- switch (id->get_type(id))
- {
- case ID_RFC822_ADDR:
- context = ASN1_CONTEXT_S_1;
- break;
- case ID_FQDN:
- context = ASN1_CONTEXT_S_2;
- break;
- case ID_IPV4_ADDR:
- case ID_IPV6_ADDR:
- context = ASN1_CONTEXT_S_7;
- break;
- default:
- DBG1(DBG_LIB, "encoding %N as subjectAltName not supported",
- id_type_names, id->get_type(id));
- enumerator->destroy(enumerator);
- free(subjectAltNames.ptr);
- return chunk_empty;
- }
- name = asn1_wrap(context, "c", id->get_encoding(id));
-=======
name = build_generalName(id);
->>>>>>> upstream/4.5.1
subjectAltNames = chunk_cat("mm", subjectAltNames, name);
}
enumerator->destroy(enumerator);
@@ -2292,8 +1939,6 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list)
}
/**
-<<<<<<< HEAD
-=======
* Encode CRL distribution points extension from a x509_cdp_t list
*/
chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
@@ -2335,7 +1980,6 @@ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
}
/**
->>>>>>> upstream/4.5.1
* Generate and sign a new certificate
*/
static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
@@ -2343,14 +1987,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
{
chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
-<<<<<<< HEAD
- chunk_t ocspSigning = chunk_empty;
- chunk_t basicConstraints = chunk_empty;
- chunk_t keyUsage = chunk_empty;
- chunk_t subjectAltNames = chunk_empty;
- chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
- chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
-=======
chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty;
chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty;
@@ -2358,7 +1994,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
->>>>>>> upstream/4.5.1
identification_t *issuer, *subject;
chunk_t key_info;
signature_scheme_t scheme;
@@ -2412,34 +2047,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
/* encode subjectAltNames */
subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames);
-<<<<<<< HEAD
- /* encode CRL distribution points extension */
- enumerator = cert->crl_uris->create_enumerator(cert->crl_uris);
- while (enumerator->enumerate(enumerator, &uri))
- {
- chunk_t distributionPoint;
-
- distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m",
- asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_CONTEXT_S_6, "c",
- chunk_create(uri, strlen(uri))))));
-
- crlDistributionPoints = chunk_cat("mm", crlDistributionPoints,
- distributionPoint);
- }
- enumerator->destroy(enumerator);
- if (crlDistributionPoints.ptr)
- {
- crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS),
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
- }
-=======
crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris,
OID_CRL_DISTRIBUTION_POINTS);
->>>>>>> upstream/4.5.1
/* encode OCSP URIs in authorityInfoAccess extension */
enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris);
@@ -2468,18 +2077,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
{
chunk_t pathLenConstraint = chunk_empty;
-<<<<<<< HEAD
- if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT)
- {
- char pathlen = (char)cert->pathLenConstraint;
-
- pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen));
-=======
if (cert->pathLenConstraint != X509_NO_CONSTRAINT)
{
pathLenConstraint = asn1_integer("c",
chunk_from_thing(cert->pathLenConstraint));
->>>>>>> upstream/4.5.1
}
basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm",
asn1_build_known_oid(OID_BASIC_CONSTRAINTS),
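Review bot: `chunk_from_thing(cert->pathLenConstraint)` passes the single `u_char` byte as the INTEGER content, which is only a valid non-negative DER INTEGER while the value stays below 128 (a high bit would read as negative unless asn1_integer itself prepends a 0x00 pad, which is not visible here). That invariant does hold because x509_cert_gen clamps BUILD_PATHLEN with `constraint < 128` further down in this diff, but nothing at this site says so; add `/* value is < 128 (enforced by BUILD_PATHLEN), so one byte is a valid positive DER INTEGER */` above the asn1_integer call. generate() starts and ends outside the hunk.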
@@ -2490,15 +2091,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c",
chunk_from_chars(0xFF)),
pathLenConstraint)));
-<<<<<<< HEAD
- keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm",
- asn1_build_known_oid(OID_KEY_USAGE),
- asn1_wrap(ASN1_BOOLEAN, "c",
- chunk_from_chars(0xFF)),
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_BIT_STRING, "c",
- chunk_from_chars(0x01, 0x06))));
-=======
/* set CertificateSign and implicitly CRLsign */
keyUsageBits = chunk_from_chars(0x01, 0x06);
}
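Review bot: The comment `/* set CertificateSign and implicitly CRLsign */` is misleading: in the BIT STRING content `0x01, 0x06` the first byte is the unused-bits count and `0x06` sets both keyCertSign (0x04) and cRLSign (0x02) explicitly, nothing is implied. Replace it with `/* keyUsage: 0x01 = one unused trailing bit; 0x06 = keyCertSign (0x04) | cRLSign (0x02) */` so the next reader does not hunt for where cRLSign is derived. The enclosing `if` on X509_CA opens outside the hunk.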
@@ -2513,7 +2105,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)),
asn1_wrap(ASN1_OCTET_STRING, "m",
asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
->>>>>>> upstream/4.5.1
}
/* add serverAuth extendedKeyUsage flag */
@@ -2542,11 +2133,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
}
/* add subjectKeyIdentifier to CA and OCSP signer certificates */
-<<<<<<< HEAD
- if (cert->flags & (X509_CA | X509_OCSP_SIGNER))
-=======
if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN))
->>>>>>> upstream/4.5.1
{
chunk_t keyid;
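Review bot: The condition now also covers `X509_CRL_SIGN`, but the comment above it still reads "add subjectKeyIdentifier to CA and OCSP signer certificates", so the comment and the code disagree on the third case. Update it to `/* add subjectKeyIdentifier to CA, OCSP signer and CRL signer certificates */`. The body of this `if` continues outside the hunk.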
@@ -2574,17 +2161,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid))));
}
}
-<<<<<<< HEAD
- if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
- crlDistributionPoints.ptr)
- {
- extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm",
- basicConstraints, keyUsage, subjectKeyIdentifier,
- authKeyIdentifier, subjectAltNames,
- extendedKeyUsage, crlDistributionPoints,
- authorityInfoAccess));
-=======
if (cert->permitted_names->get_count(cert->permitted_names) ||
cert->excluded_names->get_count(cert->excluded_names))
@@ -2732,7 +2308,6 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
extendedKeyUsage, crlDistributionPoints,
authorityInfoAccess, nameConstraints, certPolicies,
policyMappings, policyConstraints, inhibitAnyPolicy));
->>>>>>> upstream/4.5.1
}
cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -2815,10 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
certificate_t *sign_cert = NULL;
private_key_t *sign_key = NULL;
hash_algorithm_t digest_alg = HASH_SHA1;
-<<<<<<< HEAD
-=======
u_int constraint;
->>>>>>> upstream/4.5.1
cert = create_empty();
while (TRUE)
@@ -2862,15 +2434,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
{
enumerator_t *enumerator;
linked_list_t *list;
-<<<<<<< HEAD
- char *uri;
-
- list = va_arg(args, linked_list_t*);
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &uri))
- {
- cert->crl_uris->insert_last(cert->crl_uris, strdup(uri));
-=======
x509_cdp_t *in, *cdp;
list = va_arg(args, linked_list_t*);
@@ -2882,7 +2445,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
.issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL,
);
cert->crl_uris->insert_last(cert->crl_uris, cdp);
->>>>>>> upstream/4.5.1
}
enumerator->destroy(enumerator);
continue;
@@ -2903,13 +2465,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
continue;
}
case BUILD_PATHLEN:
-<<<<<<< HEAD
- cert->pathLenConstraint = va_arg(args, int);
- if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
- {
- cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
- }
-=======
constraint = va_arg(args, u_int);
cert->pathLenConstraint = (constraint < 128) ?
constraint : X509_NO_CONSTRAINT;
@@ -3000,7 +2555,6 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
constraint = va_arg(args, u_int);
cert->inhibit_any = (constraint < 128) ?
constraint : X509_NO_CONSTRAINT;
->>>>>>> upstream/4.5.1
continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);